Abstract

This grant aims to improve the guarantees offered by both language-based information security mechanisms and operating system information security mechanisms. It seeks to do so by investigating interactions between language-based and OS mechanisms for information security, and exploiting these interactions both to improve the precision of security enforcement and to provide greater assurance of information security.

This grant focuses on two key projects: language-based control of authority; and formal guarantees for the correctness of audit information.

Highlights of the reporting period:

• Design, implementation, and release of Shill, a secure shell scripting language. See http://shill-lang.org/.

• Design and implementation of an extensible framework for authority control, capable of expressing and composing many existing and novel access control mechanisms.

• Introduced a formal definition of the correctness of audit logs, and designed and implemented an approach to declare audit policies and automatically ensure that correct audit logs are generated during program execution.

• Explored the use of declarative policies on capabilities to ensure correct usage, including access-control and information-flow policies that restrict the propagation and use of capabilities.

• Seven peer-reviewed publications, including one journal article, and five in top security and programming language conferences:

1. Moore, S., C. Dimoulas, M. Flatt, R. B. Findler, and S. Chong (2016, October). Extensible access control with authorization contracts. In Proceedings of the 29th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, New York, NY, USA. ACM Press. To appear.

2. Amir-Mohammadian, S., S. Chong, and C. Skalka (2016, April). Correct audit logging: Theory and practice. In 5th International Conference on Principles of Security and Trust.

3. Chong, S. and R. van der Meyden (2015, December). Using architecture to reason about information security. ACM Transactions on Information and System Security 18(2).

4. Askarov, A., S. Moore, C. Dimoulas, and S. Chong (2015, July). Cryptographic enforcement of language-based erasure. In Proceedings of the 28th IEEE Computer Security Foundations Symposium, Piscataway, NJ, USA. IEEE Press.

5. Johnson, A., L. Waye, S. Moore, and S. Chong (2015, June). Exploring and enforcing security guarantees via program dependence graphs. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, New York, NY, USA, pp. 291-302. ACM Press.

6. Moore, S., C. Dimoulas, D. King, and S. Chong (2014, October). Shill: A secure shell scripting language. In 11th USENIX Symposium on Operating Systems Design and Implementation. USENIX.

7. Dimoulas, C., S. Moore, A. Askarov, and S. Chong (2014, June). Declarative policies for capability control. In Proceedings of the 27th IEEE Computer Security Foundations Symposium, Piscataway, NJ, USA. IEEE Press.

• Support of two graduate students, an undergraduate, and a postdoctoral fellow

  o Including one PhD dissertation ("Software Contracts for Security", by Scott Moore) and one senior thesis.

• Outreach

  o Many talks (at least 6 by PI Chong) on Shill and related research, including at Cornell University, NII Shonan (Japan), and Brown University.

  o Postdoctoral Fellow Christos Dimoulas attended a 2014 Dagstuhl Seminar on "Scripting Languages and Frameworks: Analysis and Verification", and presented work on Shill.

  o Graduate student Scott Moore attended the 2014 Vail Computer Elements Workshop (VCEW) and presented preliminary work on Shill.

• Shill publicly released, available via http://shill-lang.org/.

• Provisional patent granted on core technology underlying Shill.

• Awarded a Physical Sciences and Engineering Accelerator grant by Harvard University to help develop the technology underlying Shill.
Christos Dimoulas (Postdoctoral research fellow)

Scott Moore (Graduate student)

Daniel King (Graduate student)

Daniel Bradley (Undergraduate)


Collaborators

Christian Skalka (Associate Professor, University of Vermont)


Introduction

The objective of this grant is to improve the guarantees offered by both language-based information security mechanisms and operating system information security mechanisms. It seeks to do so by investigating interactions between language-based and OS mechanisms for information security, and exploiting these interactions both to improve the precision of security enforcement and to provide greater assurance of information security.

Language-based information security uses programming language abstractions and techniques to reason about and enforce information security. Language-level abstractions and mechanisms can provide strong, fine-grained, application-specific information security guarantees. By contrast, operating system (OS) information security mechanisms use OS-level abstractions to provide isolation and protection for processes executing in a system; recent operating system mechanisms can provide fine-grained isolation and protection.

Synergies between programming language and OS mechanisms provide an opportunity to improve information security guarantees in at least two ways: (1) increasing the precision of operating-system mechanisms; and (2) improving the assurance of language-based mechanisms.

The sponsored work has focused on two key projects: language-based control of authority, and reliable auditing. In the remainder of the report, we describe progress in the last year on these two projects, and then provide a summary of the research performed over the lifetime of this grant.


Language-based control of authority

The Principle of Least Privilege suggests that software should be executed with no more authority than it requires to accomplish its task. Current security tools make it difficult to apply this principle: they either require significant modifications to applications or do not facilitate reasoning about combining untrustworthy components.

We have explored using programming language techniques to specify and enforce restrictions on the authority of components. Previously under this award, we explored declarative policies to restrict the use of capabilities, and designed Shill, a secure shell scripting language. In this last year of the project, we focused both on extending the usability of Shill and on exploring the foundations of authority control. For the usability of Shill, we have started a port of Shill to the Linux operating system, which will greatly enhance the applicability of the tool.

DISTRIBUTION A: Distribution approved for public release.

In addition, we have received a provisional patent ("Method For End-To-End Enforcement Of Security Policies In A Scripting Language", Application number 62243900) for some of the key concepts embodied in Shill.

Investigation of the foundations of authority control led to the recognition that existing programming language access control frameworks do not meet the needs of all software components, and to the development of an expressive framework for implementing access control monitors for components. The basis of the framework is a novel concept: the authority environment. An authority environment associates rights with an execution context. The building blocks of access control monitors in our framework are authorization contracts: software contracts that manage authority environments. We implemented a diverse set of existing access control mechanisms and wrote custom access control monitors for three realistic case studies, demonstrating the expressiveness and applicability of the framework. This work will be published at OOPSLA 2016, a top-tier programming language conference.

In addition, this award has supported additional relevant research, including the use of application architecture to enforce high-level application-specific information security guarantees (Chong and van der Meyden, 2015), the use of cryptography to enforce expressive information security policies (Askarov et al., 2015), and sophisticated program analysis techniques to discover and enforce application-specific security guarantees (Johnson et al., 2015).

Summary of Shill

Shill scripts enable compositional reasoning about security through contracts that limit the effects of script execution, including the effects of programs invoked by the script. Shill contracts are declarative security policies that act as documentation for consumers of Shill scripts, and are enforced through a combination of language design and sandboxing.

In work under this grant in previous years, we implemented a prototype of Shill for FreeBSD. We have been developing a Linux version of Shill.

Shill uses declarative security policies that describe and limit the effects of script execution, including effects of arbitrary programs invoked by the script.

These declarative security policies can be used by producers of software to provide fine-grained descriptions of the authority the software needs to execute. This, in turn, allows consumers of software to inspect the software's required authority, and make an informed decision to execute the software, reject the software, or apply a more restrictive policy to the software. The Shill runtime system ensures that script execution adheres to the declared security policy, providing a simple mechanism to restrict the authority of software.

Two key features enable Shill declarative security policies: language-level capabilities and contracts. Shill scripts access system resources only through capabilities: unforgeable tokens that confer privileges on resources. Shill scripts receive capabilities only from the script invoker; Shill scripts cannot store or arbitrarily create capabilities. Moreover, Shill uses capability-based sandboxes to control the execution of arbitrary software. Thus, the capabilities that a user passes to a Shill script limit the script's authority, including that of any programs it invokes. Shill's contracts specify what capabilities a script requires and how it intends to use them. Shill's runtime and sandboxes enforce these contracts, hence they serve as fine-grained, expressive, declarative security policies that bound the effects of a script.
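The capability-and-contract discipline just described for Shill, together with the authority environments and authorization contracts introduced in the authority-control section above, as one added illustration in Python. This is not Shill's own code nor the OOPSLA framework's; Capability, authority_environment, contract, use, invoke, the two scripts and the sample resource paths are all assumptions made for this sketch. The invoker mints capabilities, a contract checks that the caller granted what the script declared and then confines the script (and anything it invokes) to exactly those rights, and attenuation lets the invoker hand over less than a capability originally carried.

```python
# Added illustration (not Shill's own code, nor the OOPSLA framework's) of
# invoker-minted capabilities, an authority environment binding rights to the
# current execution context, and authorization contracts that confine a script
# to the rights it declared. All names below are assumptions of this sketch.
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

class AuthorityError(PermissionError):
    """Raised when a script exceeds the authority it was given."""

@dataclass(frozen=True)
class Capability:
    """Unforgeable token conferring rights on a resource; only the invoker mints
    these, a script can merely receive them or pass them on attenuated."""
    resource: str
    rights: FrozenSet[str]

    def attenuate(self, rights: Set[str]) -> "Capability":
        return Capability(self.resource, self.rights & frozenset(rights))  # shrink only

# Authority environment: rights available to the current execution context, kept
# as a stack whose innermost entry governs its whole dynamic extent.
_authority: List[FrozenSet[str]] = [frozenset({"read", "write", "exec"})]

@contextmanager
def authority_environment(rights: Set[str]):
    _authority.append(frozenset(rights))
    try:
        yield
    finally:
        _authority.pop()  # restored even if the script raises

def use(cap: Capability, op: str) -> str:
    """The only way to act on a resource: the capability must carry the right
    and the enclosing authority environment must still permit the operation."""
    if op not in cap.rights:
        raise AuthorityError(f"capability on {cap.resource} lacks '{op}'")
    if op not in _authority[-1]:
        raise AuthorityError(f"authority environment forbids '{op}'")
    return f"{op}:{cap.resource}"

def contract(required: Dict[str, Set[str]]) -> Callable:
    """Authorization contract: declares the rights the script needs on each
    capability parameter, checks that the caller granted them, and confines
    the script (and anything it invokes) to exactly those rights."""
    def wrap(script: Callable) -> Callable:
        def checked(*caps: Capability):
            if len(caps) != len(required):
                raise AuthorityError("wrong number of capabilities")
            declared: Set[str] = set()
            for cap, (name, rights) in zip(caps, required.items()):
                missing = set(rights) - cap.rights
                if missing:
                    raise AuthorityError(f"{name}: caller did not grant {sorted(missing)}")
                declared |= set(rights)
            with authority_environment(declared):
                return script(*caps)
        return checked
    return wrap

def invoke(program: Callable, *caps: Capability):
    """Run an arbitrary program under the current authority environment (the
    role Shill's capability-based sandbox plays for invoked binaries)."""
    return program(*caps)

@contract({"src": {"read"}, "dst": {"write"}})
def copy_script(src: Capability, dst: Capability) -> List[str]:
    # Well-behaved: reads src, then a helper invoked with the same confined
    # authority writes dst.
    return [use(src, "read"), invoke(lambda d: use(d, "write"), dst)]

@contract({"src": {"read"}, "dst": {"write"}})
def sneaky_script(src: Capability, dst: Capability) -> List[str]:
    # Tries to execute src although its contract only declared 'read'.
    return [use(src, "read"), use(src, "exec")]

def run_demo() -> Dict[str, object]:
    """Invoker side: mint capabilities on constructed sample paths, run the
    scripts under their contracts and return each outcome for checking."""
    src = Capability("/data/report.txt", frozenset({"read", "exec"}))
    dst = Capability("/out/copy.txt", frozenset({"read", "write"}))
    results: Dict[str, object] = {"copy": copy_script(src, dst)}
    try:  # the capability carries exec, but the contract never declared it
        sneaky_script(src, dst)
        results["sneaky"] = "allowed"
    except AuthorityError as e:
        results["sneaky"] = str(e)
    try:  # invoker attenuates dst to read-only, so the contract rejects the call
        copy_script(src, dst.attenuate({"read"}))
        results["attenuated"] = "allowed"
    except AuthorityError as e:
        results["attenuated"] = str(e)
    results["outer_rights"] = sorted(_authority[-1])  # ambient authority intact
    return results
```

The point of the two failing cases is that the decision is made from the contract, which the consumer can read before running anything: the sneaky script is stopped by the authority environment even though the capability it holds would permit exec, and the attenuated call is rejected before the script runs because the invoker chose to grant less than the script declared.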

Personnel

This grant has supported postdoctoral research fellow Christos Dimoulas (who joined the project in January 2013) and graduate student Scott Moore (who joined the project in Fall 2013). Both Dimoulas and Moore this year have been working on the design and implementation of Shill, and on formal foundations for the control of authority in computer systems. Moore graduated in Summer 2016, and is continuing to develop the technology underlying Shill.


Integration of language-level and OS mechanisms for provenance

Provenance is the history of computation. Audit logs are a form of provenance, as are execution traces, and meta-data such as version information recorded by a version-control system, or timestamp and ownership information recorded by a file system. Auditing underlies retroactive security frameworks, and has become increasingly important to the theory and practice of cybersecurity.

In systems where auditing is used, programs are typically instrumented to generate audit logs, based on some formal or informal auditing policy. However, even if auditing policies are formal, it is difficult to ensure that execution of manually instrumented programs will generate a "correct" audit log and guarantee the expected accountability.

In this project, we investigate language-level mechanisms for specifying and enforcing audit policies, i.e., specifying what information should be recorded in an audit log, and automatically instrumenting the program to provably capture that information.

In collaboration with Christian Skalka (UVM), we have developed a novel semantics of auditing based on information algebra, along with proof techniques for ensuring correctness of automated program instrumentation strategies, aka retrofitting. We have defined a retrofitting strategy that supports a general class of auditing policies, and proved that this retrofitting strategy is guaranteed to correctly enforce a general class of user-specified auditing policies. Moreover, we have implemented this model for the Java programming language, and applied it to audit an open-source medical records application. This work appeared at the 5th International Conference on Principles of Security and Trust (POST), in April 2016.
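The workflow described in the preceding paragraphs (declare an audit policy, retrofit the program automatically, then judge whether the generated log is correct with respect to the policy) as an added Python sketch. It is not the project's Java implementation and not the open-source application it was applied to; AuditPolicy, retrofit, expected_log, the toy Records service, the hand-instrumented ManualRecords variant and the workload are all assumptions of this sketch. The correctness criterion used here is a simplified one: against a complete trace of the audited calls, a correct log holds exactly the policy-selected calls, projected to the arguments the policy names. The sketch contrasts a retrofitted program, which meets that criterion by construction, with a hand-instrumented one that misses a second code path reaching an audited method.

```python
# Added sketch (not the paper's Java implementation): a declarative audit policy,
# an automatic retrofitting step that instruments a program to satisfy it, and a
# check of the resulting log against the policy. AuditPolicy, retrofit,
# expected_log, Records and the workload are assumptions; the app is a toy.
import inspect
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, Dict[str, object]]  # (audited method, recorded arguments)

class AuditPolicy:
    """Per audited method: the arguments to record and when a call must be logged."""
    def __init__(self) -> None:
        self.rules: Dict[str, Tuple[Tuple[str, ...], Callable[..., bool]]] = {}

    def audit(self, method, record, when=lambda **kw: True) -> "AuditPolicy":
        self.rules[method] = (tuple(record), when)
        return self

def retrofit(cls: type, policy: AuditPolicy, log: List[Event]) -> type:
    """Automatic instrumentation: a subclass whose policy-named methods log every
    qualifying call with exactly the declared arguments, then run the original.
    Internal calls dispatch through the subclass, so no path escapes logging."""
    def wrap(name: str, fn: Callable) -> Callable:
        record, when = policy.rules[name]
        sig = inspect.signature(fn)
        def wrapped(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            env = {k: v for k, v in bound.arguments.items() if k != "self"}
            if when(**env):
                log.append((name, {k: env[k] for k in record}))
            return fn(*args, **kwargs)
        return wrapped
    body = {n: wrap(n, f) for n, f in vars(cls).items() if n in policy.rules}
    return type(cls.__name__ + "Audited", (cls,), body)

def expected_log(trace: List[Event], policy: AuditPolicy) -> List[Event]:
    """Correctness criterion: from a complete trace of audited calls, the log must
    hold exactly the policy-selected calls, projected to the recorded arguments."""
    out: List[Event] = []
    for name, env in trace:
        if name in policy.rules:
            record, when = policy.rules[name]
            if when(**env):
                out.append((name, {k: env[k] for k in record}))
    return out

class Records:
    """Constructed toy medical-records service."""
    def __init__(self) -> None:
        self.db = {"p1": {"diagnosis": "none"}}
    def view_record(self, user, patient_id):
        return dict(self.db[patient_id])
    def update_record(self, user, patient_id, field, value):
        self.db[patient_id][field] = value
        return True
    def handle(self, user, action, patient_id, field=None, value=None):
        if action == "view":
            return self.view_record(user, patient_id)
        # An update first shows the current record, so it also performs a view,
        # a second path that hand-written instrumentation easily overlooks.
        self.view_record(user, patient_id)
        return self.update_record(user, patient_id, field, value)

class ManualRecords(Records):
    """Hand-instrumented variant that logs only at the obvious points."""
    def __init__(self, log: List[Event]) -> None:
        super().__init__()
        self.log = log
    def handle(self, user, action, patient_id, field=None, value=None):
        if action == "view":
            self.log.append(("view_record", {"user": user, "patient_id": patient_id}))
        elif field == "diagnosis":
            self.log.append(("update_record",
                             {"user": user, "patient_id": patient_id, "field": field}))
        return super().handle(user, action, patient_id, field, value)

# Policy: every record view, and every update that touches the diagnosis.
POLICY = (AuditPolicy().audit("view_record", ["user", "patient_id"])
          .audit("update_record", ["user", "patient_id", "field"],
                 when=lambda field, **kw: field == "diagnosis"))
WORKLOAD = [("alice", "view", "p1", None, None),        # constructed requests
            ("bob", "update", "p1", "diagnosis", "flu"),
            ("bob", "update", "p1", "notes", "follow-up")]

def check() -> Dict[str, object]:
    """Compare the retrofitted log and the manual log with what POLICY requires."""
    full = (AuditPolicy().audit("view_record", ["user", "patient_id"])  # trace all
            .audit("update_record", ["user", "patient_id", "field", "value"]))
    trace, auto, manual = [], [], []
    for svc in (retrofit(Records, full, trace)(), retrofit(Records, POLICY, auto)(),
                ManualRecords(manual)):
        for w in WORKLOAD:
            svc.handle(*w)
    want = expected_log(trace, POLICY)
    return {"required_events": len(want), "retrofit_correct": auto == want,
            "manual_correct": manual == want}
```

Running check() shows four events required by POLICY for this workload; the retrofitted program's log matches them exactly, while the hand-instrumented version records only two because it never sees the view that an update performs internally. The retrofitting step is where the guarantee comes from: the policy is attached to the audited methods themselves rather than to the call sites a programmer happens to remember.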

Personnel

We are collaborating with Christian Skalka (UVM) on this work.